South Korea’s financial sector hit by Qilin supply-chain ransomware attack

South Korea’s financial industry has been hit by what security researchers describe as a sophisticated supply-chain attack that targeted more than two dozen organizations with Qilin ransomware.

According to a new report from Bitdefender, the operation combined the capabilities of the prolific Ransomware-as-a-Service (RaaS) group Qilin with possible involvement from North Korean state-affiliated hackers known as ‘Moonstone Sleet.’ The attackers are believed to have gained initial access by compromising a managed service provider (MSP).

Qilin has become one of the most aggressive ransomware groups of 2025, claiming more than 180 victims in October alone and accounting for nearly 29% of all known attacks. Bitdefender began investigating after an unusual surge in South Korean ransomware victims in September, when the country jumped from averaging two cases a month to 25, making it the second most targeted nation after the US.

All 25 incidents were linked to Qilin, including 24 within the financial sector. The attackers labeled the campaign “Korean Leaks,” ultimately stealing more than 1 million files and 2 terabytes of data across 28 victims. Posts referencing four additional entities later disappeared from the group’s data-leak site, suggesting ransom negotiations or internal removal policies.

Though Qilin is believed to have Russian origins, the group describes itself as politically motivated and operates a traditional affiliate-based model: recruited affiliates carry out the intrusions and keep the bulk of each ransom, with the core operators retaining a cut of up to 20% of the proceeds. One notable affiliate, North Korea’s Moonstone Sleet, has previously deployed custom ransomware such as FakePenny and was observed delivering Qilin malware earlier this year.

Bitdefender says that the attackers likely infiltrated a single upstream MSP, which gave them a foothold in many client networks at once. South Korean media previously reported that more than 20 asset-management firms were hit after the September breach of local IT service provider GJTec, which manages servers and computer systems for asset managers and other financial institutions.
